Synopsys Point of View
It’s well-acknowledged within development circles that with security comes complexity. And as we all know, complexity is the enemy of the developer. Why? Because navigating it requires time, and time is the most precious of commodities in the SDLC.
So how can organizations get the application security they need without sacrificing the time they can’t afford?
The answer boils down to automation, integration, and training.
As noted in the Gartner report, one of the main things to get right is adapting your security testing tools to the developers, not the other way around. This means automating and integrating tools that run in the background, utilizing the “spell check effect.” That allows developers to find and fix defects while they are coding instead of waiting to address a batch of issues that the security team dumps on them later.
Automation, however, doesn’t mean autonomy. Many kinds of tests are required throughout the SDLC, including static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA). Application security also requires manual review, triage, and remediation efforts.
Empowering developers to take on some of the security responsibilities requires more and better training, even if the expectation isn’t for them to become security experts. They need to understand the basics of secure coding and the myriad ways applications can be attacked. The idea is to allow the security team to function more as subject matter experts and consultants, available to interpret automated results, without upending workflows with a pile of changes at the end of the SDLC.